Keystrokes (https://keystrokes2016.wordpress.com)

Symmetric and Asymmetric Ciphers: A comparison
https://keystrokes2016.wordpress.com/2017/01/13/symmetric-and-asymmetric-ciphers-a-comparison/
Fri, 13 Jan 2017

A cipher is a secret or disguised way of writing; here the term refers to cryptographic algorithms and protocols. A cryptographic cipher consists of a pair of algorithms: one converts plaintext (the data we wish to obfuscate) into ciphertext (a form that does not reveal the original content), and the other converts it back. It is important to keep in mind that all cryptographic protocols are vulnerable to brute-force attacks (with the exception of a few ciphers, such as the one-time pad, which are impractical to use), and that the security of an algorithm rests on the computational infeasibility of attacking the cipher by brute force. Cryptographic systems can be broadly divided into two families which, as the title suggests, are:

Symmetric Ciphers

Asymmetric Ciphers

Let's look at symmetric ciphers first. Early encryption was restricted to government/military usage, and hence most of the focus was on preventing the code/algorithm from being broken. We'll see later why a different class of cryptography (the asymmetric cipher) was needed. Symmetric ciphers were given that name due to the feature common to all ciphers in this family, namely that the same key is used by both end nodes for the encryption and decryption of messages. Hence, from the point of view of the end nodes, the cryptographic system, which consists of the encryption algorithm, the decryption algorithm and the key to be used, is identical in any communication scenario between the two nodes for a given session. Data encrypted using an encryption algorithm and a corresponding key can only be decrypted using the corresponding algorithm and the exact same key, and the computational hardness of the design makes guessing the exact key practically impossible. Given the above, let's try to imagine a scenario where this system is insufficient.

Let's assume that some eavesdropper has taken control of all traffic moving in and out of our computer system. Since storing keys for every end node is an inefficient solution (the number of client nodes would be limited by the number of keys, and storing the data of the end node along with the associated key poses other risks), most applications work by issuing a per-session key. For example, imagine a scenario where you wish to make use of a net banking facility and the server sends a key for you to encrypt all your data, so eavesdroppers don't get your credentials. This is fine except when the eavesdropper listening to your network notices the server's message sending you the key. Since you, the client node, and the server had not decided on an encryption key prior to the session, the key must be sent in cleartext. The eavesdropper can then simply replace the key the server sent you with one he wants you to use. Since you have no idea the message was modified, you assume that the key you received is the one the server sent. To prevent random brute force, the application requires you to encrypt, say, your account number, to make sure you aren't accessing the services randomly. You use the key you received to encrypt your account number and send it to the server. The eavesdropper then decrypts the message using the key he sent you and re-encrypts the data with the key the server actually sent, making it seem to both the client and the server that the communication has no issues. This is called the key distribution problem: applications in which the cryptographic key must be distributed during the session cannot make use of symmetric key encryption.

An associated problem is the number of keys required. Since ideally every communicating pair in the system should have a unique key, the number of keys grows quadratically with the total number of nodes (nC2 = n(n-1)/2, the total number of edges in a complete graph on n nodes). These are the main issues asymmetric key ciphers were invented to solve. Before asking whether this means the symmetric family of ciphers is no longer useful, it would be germane to take a look at asymmetric ciphers first.
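
To get a feel for the scale of the key-count problem, here is a quick back-of-the-envelope calculation in Python (the numbers are purely illustrative):

# Unique symmetric keys needed for n mutually communicating nodes:
# one key per pair, i.e. nC2 = n*(n-1)/2 (edges of a complete graph on n nodes).
n = 1000
symmetric_keys = n * (n - 1) // 2    # 499500 keys to generate and manage
asymmetric_keys = 2 * n              # 2000: one public/private pair per node
print(symmetric_keys, asymmetric_keys)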

Asymmetric key ciphers, also called public key ciphers, work with two keys per end node: a public key and a private key. As the names suggest, the public key is known to all nodes that wish to communicate with the given node, while the private key is known only to the node under consideration. The defining property of the pair is that if encryption is performed with one key of the pair, the other key is the only way to decrypt the data. Also implicitly understood is the fact that knowledge of one key of the pair, along with the ciphertext and even the algorithm, is insufficient to figure out the other key. There are multiple approaches to realising this property, each requiring an explanation of its own, so for now just assume that the previous properties are satisfied in a black-box manner.

So how does this solve the issues with symmetric key encryption? Firstly, let us look at the issue of the eavesdropper. Assuming that the banking server is made aware of your public key, by means of a database or the first contact message you send to it, the server can encrypt the session key with your public key, i.e. the key you sent it. Since you never made your private key public, the message cannot be decrypted or modified by the eavesdropper. Repudiation issues can also be resolved by the use of public and private keys by both communicating nodes. Messages are sent to the other node by encrypting them using the other node's public key and then your private key (or vice versa). Since only your public key can decrypt the message, it proves that the message was in fact sent by you. To make sure no eavesdropper used your public key to modify the message, the first step, which was to encrypt the message using the destination's public key, comes into play: since only the destination node knows the corresponding private key, modification concerns too have been addressed. By the previous logic, it is also clear that the number of keys required for completely isolated (security-wise) communication between n nodes is directly proportional to the number of nodes.
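
As a concrete illustration of the session-key idea, here is a minimal sketch using the Python cryptography package (my choice of library; the post does not name one), in which a symmetric session key is wrapped with the client's public key so an eavesdropper can neither read it nor silently replace it:

import os
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes

# Client generates a key pair; only the public half is ever sent out.
client_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
client_public = client_private.public_key()

# Server picks a random symmetric session key and encrypts it
# with the client's public key (RSA-OAEP).
session_key = os.urandom(32)
oaep = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
wrapped = client_public.encrypt(session_key, oaep)

# Only the client, holding the private key, can unwrap it.
assert client_private.decrypt(wrapped, oaep) == session_key

This is essentially the hybrid scheme discussed below: the slow asymmetric step is used only to move the key, and the fast symmetric cipher handles the bulk data.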

Given the advantages of asymmetric key ciphers described above, does this mean that symmetric key ciphers are redundant in today's world? The answer is no. The main disadvantage of asymmetric key ciphers is that encryption and decryption are based on computations that require more processing and resources, increasing the delay. Another issue is the need for an infrastructure to distribute unique key pairs; finding and maintaining information about them is a problem in itself. This matters because there exist popular symmetric encryption algorithms that work faster than any asymmetric cipher currently available. The choice between the two families therefore becomes a trade-off between speed on one side and the need for key distribution, non-repudiation and so on on the other. Symmetric ciphers are still widely used in cases where the key needn't be transmitted during the session, for example the encryption of files on your hard drive. And based on the math and computation behind symmetric and asymmetric ciphers, there doesn't seem to be a time in the near future where symmetric keys lose their use or importance.

Survey on Image Steganography Techniques
https://keystrokes2016.wordpress.com/2016/08/17/survey-on-image-steganography-techniques/
Wed, 17 Aug 2016

Image steganography is one of the problems that I have been looking at during my summer break. This post will detail the techniques by which data is hidden in images; we will be focusing primarily on JPEG images. Steganography is defined as the practice of concealing a file, message, image or video within another file, message, image or video. The form we will be focusing on in this post is image steganography: the art of hiding information in an image. We will look at some of the most prevalent methods that were and are used to hide information in images today. But first let's look at the history of steganography.

History

The word steganography is derived from the ancient Greek words steganós, meaning cover, and gráphō, meaning I write. The earliest recorded instance of steganography is traced back to 440 BC in Ancient Greece, where Herodotus mentions in his book Histories a king, Histiaeus, who shaved the head of his servant, inscribed a message on it, and dispatched the servant once his hair had grown back, thus successfully hiding the message. Steganography was again thrown into the limelight during WW II, when methods ranging from invisible ink to encoding Morse code into knitted yarn were employed to get commands and information to and from enemy territory. Modern steganography entered the limelight with the widespread advent of computers. The basic idea is to hide the relevant information in the lower bits/noise, where the effect of the change in data is negligible or unnoticeable. Let's look at some of the methods by which this is achieved.

Method 1: Direct Overwriting

The main motivation behind this method is the fact that a change in a single pixel is too small for human eyes to notice. The following image is one in which the text beside it is hidden. It was generated using the steghide tool on Ubuntu, which takes a graph-theoretic approach.

The steganography algorithm works as follows: a seed value is taken from the user to generate a pseudo-random stream of pixel positions. The information to be hidden is compressed and stored in a buffer in buckets of 24 bits (because in the JPEG format the color of each pixel is represented using 3 bytes). For now, assume that the software overwrites all the randomly generated pixel positions with the values in the buffer. (The actual algorithm steghide uses is a bit more optimised, but we'll have a look at that in another post dealing with a tool to detect such steganography.)
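
A minimal sketch of the seed-driven position selection described above (this is the general idea, not steghide's actual algorithm):

import random

def pixel_positions(seed, image_width, image_height, n_needed):
    # The same seed always yields the same pseudo-random stream, so the
    # recipient can regenerate the positions to extract the hidden data.
    rng = random.Random(seed)
    return rng.sample(range(image_width * image_height), n_needed)

positions = pixel_positions(seed=42, image_width=640, image_height=480, n_needed=10)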

Method 2: LSB (Least Significant Bit) Algorithm

The next development in image steganography came from the realisation that though direct overwriting worked, the anomalies stick out sorely if someone analyses the image at the pixel level. So the information was instead hidden in the LSB of each of the color values. In JPEG images, for example, a byte is used to represent each of the colors Red, Green and Blue, i.e. three bytes per pixel, allowing 3 bits of information to be stored per pixel when 24-bit color is used. For example, let's assume that a pixel contains the value (10001111 00000000 11111111) and the message to be hidden, in binary, is 010; the pixel would then contain (10001110 00000001 11111110). This method is based on the fact that such slight variations in pixel values are even more unnoticeable to human eyes. The following image will show you how. Look at the first image, and only once you've identified which of the three is the odd one out, look at the second image. If you're trying to convince yourself that it was obvious and you were just lazy, cover the values and look at the images again.
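
A toy sketch of LSB embedding over a flat list of color bytes (real tools operate on decoded image buffers; this only shows the bit manipulation, using the example pixel from the text):

def embed_lsb(color_bytes, message_bits):
    # Clear each byte's least significant bit and replace it with a message bit.
    out = list(color_bytes)
    for i, bit in enumerate(message_bits):
        out[i] = (out[i] & 0b11111110) | bit
    return out

def extract_lsb(color_bytes, n_bits):
    return [b & 1 for b in color_bytes[:n_bits]]

pixel = [0b10001111, 0b00000000, 0b11111111]
stego = embed_lsb(pixel, [0, 1, 0])   # -> [0b10001110, 0b00000001, 0b11111110]
assert extract_lsb(stego, 3) == [0, 1, 0]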

Method 3: LSB modification of DCT co-efficients

To understand why this steganographic modification is so effective, a very lengthy discussion of the lossy compression stage of JPEG is necessary (easily a separate post by itself, one for later). For now, let's take the abstract, simpler version. The basic fact to know is that a JPEG image is broken into blocks of size 8×8, and each of these blocks can be represented by a linear combination of cosine functions of various frequencies. Note that this form of compression is lossy, i.e. not all the data is preserved. What we get as the output of this transformation (called the Discrete Cosine Transform, or DCT for short) is a set of coefficients for the linear combination. The coefficients are real-valued; to save space, they are quantized and rounded to integers. Up to this point everything is normal JPEG procedure; the steganographic step comes now. The message to be hidden (in binary) is stored in the LSBs of the coefficients, effectively either leaving each coefficient unchanged or moving it by one. This is the basic idea behind this method of steganography. I will be posting a more detailed post on the compression method and then explain this method further, I suppose.
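
A sketch of the coefficient-tweaking step over a list of already-quantized DCT coefficients (JSteg-style; skipping the values 0 and 1 is a common convention I am assuming here, since changing them distorts the image disproportionately):

def embed_in_dct(coefficients, message_bits):
    # Overwrite the LSB of usable quantized DCT coefficients with message bits.
    out = list(coefficients)
    bits = iter(message_bits)
    for i, c in enumerate(out):
        if c in (0, 1):            # skipped: too visually/statistically sensitive
            continue
        try:
            bit = next(bits)
        except StopIteration:
            break                   # whole message embedded
        out[i] = (c & ~1) | bit     # works for negative coefficients too
    return out

coeffs = [12, -7, 0, 3, 1, -2, 5]
stego = embed_in_dct(coeffs, [1, 0, 1, 1])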

Preliminary Static Analysis of Malware
https://keystrokes2016.wordpress.com/2016/06/12/preliminary-static-analysis-of-malware/
Sun, 12 Jun 2016

In this post let's take a look at the basic methods of analyzing a file statically. Static methods of analysis are those in which the file is not executed. Though it is highly probable that a malware sample currently in the wild will not yield substantial information on being statically analyzed, static analysis provides a good starting point. Let's take a look at some of the steps involved in preliminary static analysis.

Step 1: Multi-AV scanners

Most people have an anti-virus installed on their devices. Though most people expect it to be a silver bullet against malicious software, it is not. So why depend on the analysis result of one anti-virus engine when you could have the file scanned by multiple anti-virus products? This is where multi-AV online scanners come in. Most of these websites are free, and the software is regularly kept up to date. These websites scan the uploaded files using all the anti-virus engines they have and present a comparative result. Here is a list of some common multi-AV online scanners:

VirusTotal

Metadefender

VirScan

Jotti

NoVirusThanks

Step 2: Detecting if sample is packed using PEiD

Malware authors often pack (obfuscate/encrypt/distort the actual byte pattern of) their samples to make preliminary analysis of the assembly-level code hard or impossible. Since the original byte patterns are modified, disassemblers will read different instructions, if any at all. This leads to a significant loss of the information that can be learnt statically. Though packed malware is very common nowadays, the good thing is that malware is often constructed by putting together modules, i.e. the packing function may be written by one author, the viral engine by another, and so on. Hence there are certain behavioral or structural patterns that a tool called PEiD uses to detect whether the sample has been packed with a common packer; if so, the corresponding unpacker can be used. Note: not all packers can be detected using PEiD; its main usefulness is that it can identify the packer/compiler used to produce the program. Whether the sample is packed can also be inferred by digging into the hex code or the import/export tables of the Portable Executable.
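
Besides PEiD, a common heuristic is section entropy: packed or encrypted data looks nearly random, so its entropy approaches 8 bits per byte. A sketch using the Python pefile module (the 7.0 threshold is a rough rule of thumb, and sample.exe is a placeholder path):

import pefile

pe = pefile.PE("sample.exe")                 # placeholder file name
for section in pe.sections:
    entropy = section.get_entropy()          # Shannon entropy, 0.0 - 8.0
    name = section.Name.rstrip(b"\x00").decode(errors="replace")
    flag = "possibly packed" if entropy > 7.0 else ""
    print(f"{name:10} entropy={entropy:.2f} {flag}")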

Step 3: Mining the Portable Executable using PEview

The Portable Executable format stores a lot of valuable information about the executable, including when it was compiled, the functions it imports and the DLLs it imports them from, and so on. This information is presented in a readable format by the tool PEview. The things to check in the Portable Executable headers are whether the compilation time is a valid time, whether the file alignment and the section alignment seem reasonable or indicate compression or packing, the sizes of the sections, discrepancies between the raw data size and the virtual size of sections, and so on.
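
The same sanity checks can be scripted instead of eyeballed in PEview; a sketch, again with pefile (field names follow the PE specification):

import datetime
import pefile

pe = pefile.PE("sample.exe")   # placeholder path

# Is the compile timestamp plausible (not zero, not in the future)?
ts = datetime.datetime.utcfromtimestamp(pe.FILE_HEADER.TimeDateStamp)
print("Compiled:", ts)

# A virtual size far larger than the raw size hints at packing:
# the unpacker expands data into space that is empty on disk.
for s in pe.sections:
    if s.Misc_VirtualSize > 5 * max(s.SizeOfRawData, 1):
        print(s.Name.rstrip(b"\x00"), "raw:", s.SizeOfRawData,
              "virtual:", s.Misc_VirtualSize, "<- suspicious")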

Step 4: Checking the dependencies of the executable using Dependency Walker

The easiest way to analyze all the functions imported by an executable is to use a tool called Dependency Walker. We can try to predict the family or behaviour of the sample simply by analyzing the functions it calls. A near-total lack of imported functions almost always indicates an obfuscated or packed sample.
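
The import information can also be pulled programmatically; a sketch with pefile:

import pefile

pe = pefile.PE("sample.exe")   # placeholder path
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(entry.dll.decode())
    for imp in entry.imports:
        if imp.name:                        # None for imports by ordinal
            print("   ", imp.name.decode())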

Step 5: Looking at the strings defined in the programs

Sometimes important information, such as the IP address of the command-and-control server or the name of the file created as an infection marker, is hardcoded. Hence looking at all the strings in the executable might give us valuable information.
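
A minimal equivalent of the classic strings utility (printable ASCII runs of four or more characters; a sketch, with a placeholder path):

import re

def extract_strings(path, min_len=4):
    with open(path, "rb") as f:
        data = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len   # runs of printable ASCII
    return [m.decode() for m in re.findall(pattern, data)]

for s in extract_strings("sample.exe"):
    print(s)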

These steps provide only a very basic static analysis mechanism, though any information gained here is of substantial value. Future posts may detail more advanced methods.

Experiments with PE section and Assembly: Flexibility of Section Definition
https://keystrokes2016.wordpress.com/2016/06/03/experiments-with-pe-section-and-assembly-flexibility-of-section-definition/
Fri, 03 Jun 2016

We have analysed the basic structure of a Portable Executable to delve into the structure of executable files, and we have seen the basic types and purposes of sections in them. In the post pertaining to sections, we mentioned that the definition and use of a section is variable; here we'll work through a practical example. Let's take a look at traditional/conventional code first:

and the corresponding section table of the Portable Executable in hex:

Now let’s look at a modified version of the code, with the corresponding section table:

As we can see, even if the sections are given random names, the names are reflected in the executable file and do not seem to cause any problems. There are two things to notice in this code. The first thing established by the two different executables is that the names of the sections are not binding properties. The next obvious question is: what then defines the sections? The answer is that section definitions are not strict rules but more like guidelines. If you remember, in the section table one of the fields of the section data structure is Characteristics, a set of flags that dictate the behaviour of the section. It is this field that decides how the section behaves; correspondingly, in the assembly code it is the circled part of the line that decides the behaviour of the section. To prove it is so: if the code is read carefully, the data section is defined as executable, and the code in the .text section does take a jump to the code in this section and back. This is valid as long as the section has been given permission to execute the binary patterns at offsets within it.
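
To inspect which behaviour flags a section actually carries, one can decode the Characteristics bits directly; a sketch using pefile (my choice of tool), with the flag constants taken from the PE specification:

import pefile

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section may be executed
IMAGE_SCN_MEM_WRITE   = 0x80000000   # section may be written to

pe = pefile.PE("experiment.exe")     # placeholder for the compiled sample
for s in pe.sections:
    c = s.Characteristics
    print(s.Name.rstrip(b"\x00").decode(errors="replace"),
          "exec" if c & IMAGE_SCN_MEM_EXECUTE else "-",
          "write" if c & IMAGE_SCN_MEM_WRITE else "-")

Run against the modified sample above, this would show the data section carrying the execute flag regardless of its name.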

The main point to note is that since compilers normally create the executable, including its sections and their components and characteristics, such misuse rarely occurs: it requires coding directly in assembly or modifying the compiler itself.

PE File structure: Sections
https://keystrokes2016.wordpress.com/2016/06/03/pe-file-structure-sections/
Fri, 03 Jun 2016

We have already looked briefly at the DOS and PE headers in the first post on the Portable Executable format. In this post we'll have a closer look at the sections in Portable Executable files. The bulk of the executable, including the code that the programmer writes, lies in sections. The purpose of sections is to provide a logical and physical separation between the different parts of a program; it also helps while loading the executable file into memory during execution, since separate sections make access and loading in pages easier. The abstract view of a Portable Executable file is as shown in the figure:

As we can see, most of the file consists of sections, so it is important to know the different types and their importance. All PE files contain at least 2 sections: a code section and a data section. An application for Windows NT has 9 pre-defined sections, named .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Not all applications need all the sections, and some applications may need different kinds of sections. The sections most commonly present in an executable are:

Executable Code Section (commonly named .text)

Data Sections (of which .data, .rdata, .bss are types)

Resources Section (commonly named .rsrc)

Export Data Section (commonly named .edata)

Import Data Section (commonly named .idata)

Debug Information Section (commonly named .debug)

Note that the names are not binding, since the OS does not bother with the names of the sections and in fact discards them. The operating system finds, extracts and manages the different sections using a data structure known as the Section Table. The section table is an array of IMAGE_SECTION_HEADER structures, each containing information about one section. The information the structure contains includes, but is not restricted to, the virtual address, the virtual size, the raw data size and the characteristics flags (which record whether the section contains executable code or readable data, write permissions and so on). The number of entries in the section table is therefore equal to the number of sections defined in the executable file. Let's take a look at some of the sections:
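
A sketch that walks the section table programmatically (pefile, my choice of library, exposes each IMAGE_SECTION_HEADER entry as an object):

import pefile

pe = pefile.PE("sample.exe")   # placeholder path
for s in pe.sections:          # one entry per IMAGE_SECTION_HEADER
    print(s.Name.rstrip(b"\x00").decode(errors="replace"),
          "VA=%#x" % s.VirtualAddress,
          "VSize=%#x" % s.Misc_VirtualSize,
          "RawSize=%#x" % s.SizeOfRawData,
          "Flags=%#010x" % s.Characteristics)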

Executable Code (.text) Section

This section contains all the code in one large section. Since modern operating systems use paging, having a larger unified code section makes it easier for both the OS and the programmer to manage and develop. This section contains the code where execution starts as well as pointers to the import table.

Data Section

The .bss type of data section represents uninitialized data. This reduces the size of the executable file: since some variables may not have values until the program is executed, it would be a waste of space to allocate room for them in the executable file, so the .bss section declares variables that are allocated in memory only during execution. The .rdata section contains data that is read-only, such as literal strings, constants and debug directory information. Data which does not fall into either of the two above categories falls into the .data section.

Resources Section

The .rsrc section contains resource information for a module. The first 16 bytes comprise a header like that of other sections, but this section's data is further structured into a hierarchy.

Export Section

The .edata section contains the Export Directory for an application or DLL; it holds the names and addresses of exported functions. Dynamic Link Libraries provide a way to modularize applications so that functions can be shared and reused more easily. This section provides the addresses and offsets of the exported functions to programs that import the DLL.

Import Section

The .idata section contains various information about imported functions, the most important structures being the Import Directory and the Import Address Table. The import section makes the implementation of modularity easier: since a DLL can be modified at any time, the import section protects the application from such changes.

Debug Information Section

Debug information is initially placed in the .debug section. The PE file format also supports separate debug files as a means of collecting debug information in a central location.

Practical View using Assembly

The above program is assembly code, compiled using FASM. Three sections are defined in it; note that there is also an import section defined in the included training.inc file. The executable file formed by compiling the above is this:

The screenshot shows the hex dump of the section table, where we can see the names of the sections as defined in the code. Further posts detailing more intricate details of Portable Executable files are in the works.

Machine Learning and Data Mining methods used in IDS
https://keystrokes2016.wordpress.com/2016/05/29/machine-learning-and-data-mining-methods-used-in-ids/
Sun, 29 May 2016

Approaches to security take one of two forms: proactive security solutions or reactive security solutions. Conventionally, proactive security solutions are designed to maintain the overall security of the system even in the event of the compromise of individual components by an attack; Intrusion Prevention Systems (IPS) fall under this class. Reactive security solutions are systems used to recover from losses, contain infections and so on; Intrusion Detection Systems (IDS) fall under this class, and they are what we'll look at today. An IDS is a software application or device that monitors network or system activities for malicious activity or policy violations. A cyber intrusion is characterized as any unlawful attempt to access, manipulate, modify or destroy information, or to use a system to perform further actions, without the consent of those with authority over it.

An IDS monitors network and system activities. It assumes that all intrusions leave a trace, and that this trace is different from the one left behind by routine processes. The activities that an IDS uses to identify or define normal or deviant behavior can come from a variety of sources. According to the method of detecting or defining this behavior, we have the following classifications:

Signature Detection

Anomaly Detection

Hybrid Detection

Scan Detection

Profiling Modules

I. Signature Detection

This method of raising alarms is used primarily when the kind or type of intrusion is known (i.e. has been encountered before). The technique measures the resemblance between the currently occurring events and traces of known cyber misuse, and flags behavior that shares similarity with the traces of known events. This method is thus good for attacks that are already known, with the added advantage of a low false-positive rate. The disadvantage, which is quite obvious, is the ineffectiveness of signature-based detection against new attacks.
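
At its simplest, signature detection is a search for known byte patterns; a toy sketch (the signatures and family names below are made up purely for illustration):

KNOWN_SIGNATURES = {
    b"\xe8\x00\x00\x00\x00\x5d": "example-family-A",   # invented byte patterns
    b"EVILMARKER":               "example-family-B",
}

def scan(payload: bytes):
    # Flag the payload if it contains any known trace of misuse.
    return [family for sig, family in KNOWN_SIGNATURES.items() if sig in payload]

print(scan(b"...EVILMARKER..."))   # -> ['example-family-B']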

II. Anomaly Detection

Anomaly detection takes a variation of the white-listing approach to behavior tracing: it triggers alarms when the object under surveillance behaves notably differently from predefined normal patterns. Anomaly detection consists of two steps, training and detection. In the training step, machine learning techniques are applied to generate a profile of acceptable behavioral patterns. In the detection step, input events are labeled as attacks if their traces deviate significantly from the profile. The advantage is that this method works against attacks that haven't been seen before; the disadvantage is that it is prone to a high rate of false positives. Feature selection and defense against adversarial machine learning attacks play a crucial role.
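
A sketch of the two-step train/detect cycle, using scikit-learn's IsolationForest as a stand-in learning technique (the post prescribes no specific algorithm, and the feature vectors here are invented placeholders):

from sklearn.ensemble import IsolationForest

# Training step: learn a profile of "normal" traffic.
# Each row is a feature vector, e.g. [duration, bytes_sent, bytes_received].
normal_traffic = [[0.20, 1200, 300], [0.30, 1500, 280],
                  [0.25, 1100, 310], [0.22, 1350, 295]]
model = IsolationForest(contamination=0.01, random_state=0).fit(normal_traffic)

# Detection step: events deviating from the profile are flagged as -1.
new_events = [[0.21, 1300, 290], [9.0, 900000, 12]]
print(model.predict(new_events))   # 1 = normal, -1 = anomaly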

III. Hybrid Detection

The disadvantage of signature-based detection techniques, i.e. no defense against novel attacks, is covered by anomaly detection, while the disadvantage of anomaly-based detection, i.e. a high false-positive rate, can be covered by signature-based detection. Hence the natural next step is to combine both approaches so that they make up for each other's shortcomings.

IV. Scan Detection

Scan detection methods are techniques that raise flags when adversaries scan the services or machines being monitored by the detection mechanism. Since scans are usually precursors to attacks, this detection technique also provides valuable information, such as the source and target IP addresses. Although many techniques have been proposed, all such methods are plagued by high false-positive rates and low true-positive rates.

V. Profiling Modules

Profiling modules work by trying to group connections, processes, hosts etc. by their behavior, using clustering, association mining and so on. Profiling makes use of extraction, aggregation and visualization. This too is a method that is highly dependent on the features, i.e. on the machine learning and data mining parts, and hence it too hasn't enjoyed much practical success.

We have seen a brief introduction to each of these methods. I'll try analyzing some papers in further posts, detailing specific methods or approaches for each of the above.

N-Grams & PE features: Malware Static Features
https://keystrokes2016.wordpress.com/2016/04/14/n-grams-pe-features-malware-static-features/
Thu, 14 Apr 2016

This post is the second in the series pertaining to the most common static features used in the detection and classification of malware. In this post we analyse two features: n-grams and PE file features.

N-Grams

An n-gram is a contiguous subsequence of n items from a given sequence of items. In the context of malware detection and classification, the term refers to byte n-grams or opcode n-grams. An opcode is the portion of a machine-language instruction that specifies the operation to be performed. The basic procedure is to take a corpus of malicious programs and extract the most common byte n-grams, i.e. the most common sequences of n bytes that appear in all of the malware, or at least in a particular class/family of malware. Hence there are two variables in this approach: 1. the size of the window, n, and 2. the number of frequent sequences used to profile the class, called the profile length. In the research paper [1], Abou-Assaleh et al. take labelled malicious and non-malicious programs, extract the most common byte n-gram features, and use the k-nearest-neighbour algorithm to classify new instances as malicious or non-malicious.

In [2], Moskovitch et al. use opcode n-grams, since these make more semantic sense. Additionally, simple post-processing can abstract the code a bit by discarding the operands and considering only the sequence of opcodes, and rare patterns can be used directly as signatures. The reasoning behind this method is that new malware is rarely built from scratch; the generation engine or the polymorphic engine may be copied, which leads to specific sequences that provide high accuracy in the detection of malware. In [3], Santos et al. use a weighted representation of the opcode sequences in malicious and benign programs, the logic being that the rarer the opcode sequence, the better it is at identifying malware. These methods are not completely helpless against polymorphic or metamorphic malware, since the most frequent opcode sequences returned would be those of the encrypting code, which too is a highly re-used piece of code.
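
A sketch of byte n-gram extraction and profile building (here the profile is simply the k most frequent n-grams, following the window-size/profile-length framing above):

from collections import Counter

def ngrams(data: bytes, n: int):
    return (data[i:i + n] for i in range(len(data) - n + 1))

def profile(path, n=4, profile_length=100):
    # The k most frequent byte n-grams serve as the file's profile.
    with open(path, "rb") as f:
        counts = Counter(ngrams(f.read(), n))
    return [gram for gram, _ in counts.most_common(profile_length)]

# Profiles of labelled samples can then feed a k-nearest-neighbour classifier,
# e.g. by scoring how many n-grams two profiles share.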

PE File Features

The PE (Portable Executable) format is a file format for executables, DLLs and other files that contain code that is to be executed and must be loaded into memory. A PE file is basically a data structure that encapsulates the information necessary for the OS loader to manage the executable code. It contains a number of headers that tell the dynamic linker how to map the file into memory. One of the other important structures is the Import Address Table (IAT), which lists the modules/libraries used by the program during execution. In the paper [4], Ye et al. built a parser that walks through the PE structure of a file, extracts the information from the IAT, and extracts strings that carry interpretable semantic meaning. The paper explicitly states that the files used in training the SVM are all unpacked executables. The reason is obvious: all approaches based on static features face this problem when trying to detect packed malware.

DHCP (Dynamic Host Configuration Protocol)
https://keystrokes2016.wordpress.com/2016/04/03/dhcp-dynamic-host-configuration-protocol/

IP addresses for a given host are of two types: static and dynamic. A static IP address means that the host machine always uses the same fixed IP as its address. This is discouraged, since it would be very easy to map the IP address to the host machine with preliminary sniffing and analysis. The alternative is to use a dynamic IP address, i.e. one that changes regularly. Most people access the internet from within a private network with only one or two public addresses. The previous statement requires some explanation. An IPv4 address uses 32 bits (IPv6 is still a few years away from widespread use, so let's concentrate on IPv4 for now). That gives us only 2^32 (about 4.2 billion) possible addresses, which, considering the total number of devices, is certainly not enough. Hence some address ranges are defined as private addresses, i.e. addresses to be used only within private networks. Two disjoint private networks can contain devices with the same private addresses, but this doesn't matter, since the networks are disjoint anyway. Each private network is assigned one or two public IP addresses, through which all communication to outside IP addresses is routed, thereby increasing the number of devices that can be connected to the internet. The private IPv4 ranges are: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 and 192.168.0.0 – 192.168.255.255.

DHCP: Use

Now back to the matter at hand. Assuming that you have a host (PC) that uses a dynamic IP, and since you are most probably part of a private network, an entity is needed to dynamically assign IP addresses to all the hosts and to make sure no two hosts have the same address. The client/server protocol that does this is DHCP (Dynamic Host Configuration Protocol). A daemon (the client part) runs on the hosts and connects to the DHCP server, which responds with the IP address and other required information, such as the default gateway, the subnet mask and so on. The question that arises is this: how does the DHCP server know which IP is assigned to which host? (The need for this is obvious: if all outgoing communication is through one address, some mechanism is needed to multiplex incoming messages to the correct host.) This is done using an identifier unique to every device, the MAC (Media Access Control) address. No two devices have the same burned-in (default/true) MAC address. Hence, when a host contacts the DHCP server, the server's internal data structure can be thought of as a dictionary or hash map, where the key is the MAC address and the value the assigned IPv4 address, or vice versa.
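
The MAC-to-IP bookkeeping described above really is dictionary-shaped; a toy model of a DHCP server's lease table (a sketch, with an invented address pool):

class LeaseTable:
    def __init__(self, pool):
        self.free = list(pool)       # unassigned addresses
        self.leases = {}             # MAC address -> IPv4 address

    def request(self, mac):
        if mac in self.leases:       # known client: same address again
            return self.leases[mac]
        if not self.free:            # pool exhausted (cf. the attack below)
            return None
        self.leases[mac] = self.free.pop(0)
        return self.leases[mac]

pool = [f"192.168.0.{i}" for i in range(100, 110)]
server = LeaseTable(pool)
print(server.request("aa:bb:cc:dd:ee:01"))   # -> 192.168.0.100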

DoS-ing DHCP: DHCP Consumption Attack

Since we know that a request to a DHCP server from an un-encountered MAC, i.e. a MAC address that has not already been assigned an IP address, is graced with an IP address, all we have to do to execute a denial-of-service attack on the DHCP service is to occupy all the IP addresses, blocking legitimate users. If MAC addresses were a foolproof system, this would require a large number of physical devices; but at the packet level all we need to do is manipulate the network adapter to produce packets with different MAC addresses, each requesting an IP. This can be done using the macchanger tool, which temporarily changes the MAC address of the host. Mitigation techniques include trusted-port filtering, the prevention of ARP poisoning, etc.

Hash Value: Malware Static Features
https://keystrokes2016.wordpress.com/2016/03/21/hash-value-malware-static-features/
Mon, 21 Mar 2016

Posts in this series titled Malware Static Features explain features that are used to classify or identify malware using the machine learning approach. We begin the series by analysing the static features, the first of which is the hash value. The point of a hashing function is to produce a unique value from a given input; the input in this case is a binary executable.

Some of the common hashing algorithms one would have come across include MD5, SHA1 and so on. The properties that such algorithms have to satisfy include:

Pre-image resistance: It must be infeasible to reconstruct the input data from the hash value.

Second pre-image resistance: It must be infeasible to modify the input without changing the hash value (this must hold even for the change of a single bit).

Collision resistance: It must be infeasible to find two different inputs that return the same hash value.

Because cryptographic hashes have the above properties, they have many uses in the information security field, such as digital signatures, message authentication codes, and verifying that files have not been modified during transfer. If the original unmodified version of a file gives a specific hash value, then theoretically anyone who receives the file, through any means or mode, simply has to check the hash value to make sure he has received the copy as the author intended. Let's look at an example using the MD5 hash function on the image below:

What we do is calculate the hash value of this image. Then open the image in a hex editor and change just 1 byte of data. The hash value is then calculated for the modified file. Let’s look at the results and then discuss what this implies:

As we can see, the change of a single byte in the image, which does not even produce a humanly noticeable difference, yields a hash value that bears no similarity to the original to any inferable extent. This is a problem: if the malware author simply replaces or changes the names of some variables, the fingerprint generated using the hash value is rendered useless. To counter this problem, the concept of fuzzy hashing was introduced.
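
The experiment is easy to reproduce with Python's hashlib (lena.jpg is a placeholder for any file):

import hashlib

data = open("lena.jpg", "rb").read()          # placeholder file name
modified = bytearray(data)
modified[100] ^= 0x01                         # flip a single bit

print(hashlib.md5(data).hexdigest())
print(hashlib.md5(bytes(modified)).hexdigest())
# The two digests bear no inferable similarity: the avalanche effect.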

Fuzzy Hashing

Fuzzy hashing is a concept in which the output of the hash comparison represents the percentage similarity of two files. This defeats the previous case, i.e. scenarios in which labels or names are changed in the code. The following image shows the fuzzy hashes of the two images, computed using a command-line tool called ssdeep.

As is apparent, the only difference between the two values under fuzzy hashing is the character after HqqH. This is achieved by breaking the input into pieces and hashing each piece individually.
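
The same comparison can be scripted with the Python bindings for ssdeep (assuming the ssdeep package is installed; the file names are placeholders):

import ssdeep

h1 = ssdeep.hash_from_file("lena.jpg")
h2 = ssdeep.hash_from_file("lena_modified.jpg")
print(ssdeep.compare(h1, h2))   # similarity score: 0 (none) to 100 (identical)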

Why this feature is not enough

The fuzzy hash helps only if there are minute changes in the binary code. If the malware author uses an encryption engine to encrypt the files with different keys and/or additional plaintext elements (polymorphic or metamorphic malware), then this approach is effectively defeated, since the encrypted binary forms by definition cannot be the same or even closely related. The approach can still be used on in-memory hashes, though: no matter how the malware is encrypted and stored on disk, it has to be decrypted in main memory before execution. The obvious downside is the lag induced by such real-time monitoring systems.

Techniques for Protection against Stack Smashing
https://keystrokes2016.wordpress.com/2016/03/15/techniques-for-protection-against-stack-smashing/
Tue, 15 Mar 2016

Stack smashing is the technique of inserting payloads into the stack by taking advantage of a stack overflow vulnerability. A number of methods to protect against this type of attack are currently implemented in compilers and operating systems. This post lists the defence mechanisms employed against stack smashing. They are:

Stack Canaries

Data Execution Prevention (DEP) / Non-eXecutable (NX) bit

Address Space Layout Randomization

The main aim of the above methods is to prevent control-flow hijacking and to deny the attacker knowledge of the layout of memory, making attacks such as return-to-libc hard to achieve, since the attacker will not know the address at which the required code resides.

Stack Canaries

Stack canaries are random integers or characters placed next to the return addresses on the call stack. The purpose of these random values is to provide an indication of whether the return address has been modified. Since the canaries are random, a buffer overflow will in all probability modify them, and the compiler-inserted check will recognise the modification and stop execution, effectively preventing the hijacking of control flow.

Data Execution Prevention and NX bit

The Non-eXecutable (NX) bit (known as the eXecute Disable (XD) bit on Intel architectures and eXecute Never (XN) on ARM) marks certain regions of memory as non-executable, i.e. as containing only data and no executable instructions. The general technique is called executable space protection; its implementation at the operating system level (a software solution), specifically in Windows, is called Data Execution Prevention. Note that programs can still change the protection of memory regions using the VirtualAlloc and VirtualProtect Win32 calls.

Address Space Layout Randomization

Address Space Layout Randomization involves placing different parts of the address space, such as the base of the executable, the stack, the heap and the libraries of a process, at pseudo-random locations so as to prevent reliable targeting by an attacker exploiting a buffer overflow vulnerability. The technique is still not foolproof, as it is rendered moot if there also exists a dangling pointer vulnerability that leaks addresses. More on this later in a separate post.